Linux Kernel Security is Lacking
Jason Miller, 2005-02-02

Recent events have shown that the way security in the Linux kernel is handled is broken, and it needs to be fixed right now.

Linux Kernel Security is Lacking 2005-02-02
Anonymous (1 replies)
Do we think it's possible that Microsoft coders may have started working on the Linux kernel? ...

Linux Kernel Security is Lacking 2005-02-04
Anonymous (5 replies)
If you say things like this it shows you are a fool with no concept of coding practices or the facts about code quality and security. The numbers don't lie and the numbers say Linux has more bugs, they are more severe, and they get handled and fixed slower. The only reason Linux isn't getting beat up like swiss c...

Linux Kernel Security is Lacking 2005-02-05
Anonymous
How many webservers are run on Windows machines? How many on Linux machines?...

Linux Kernel Security is Lacking 2005-02-06
Anonymous
Site defacement has nothing to do with kernel security. It's usually an issue of web server configuration or other *application*-related one....

"The numbers" and (deliberate?) failure to understand what linux is 2005-02-07
RedHat not Linux User. (1 replies)
When you say "the numbers", it's funny that you don't say which numbers. Is that perhaps because if we knew which numbers, it would turn out that you were counting the same Linux bugs once for each distribution? Would it turn out that these were the discredited ones released under Microsoft contra...

Re: The "numbers" and (deliberate?) failure to understand what linux is 2005-02-07
Jason V. Miller (Author) (1 replies)
First of all, let me start by thanking you for putting together a well thought-out response to my article.

"Just as, when you have a problem with BIND on HP, you should contact HP, when you have a security problem with the "linux" in RedHat, then you should contact RedHat. If the problem isn't pr...

Vendors and kernel security 2005-02-09
Anonymous
Actually, vendors often *do* pass patches "upstream" to the kernel developers. A lot of kernel bugs are originally reported to distribution vendors, who then push a fix upstream to the kernel development team.
...

Linux Kernel Security is Lacking 2005-02-11
Torian
First of all ... Linux is a kernel, not an operating system. Defacement has almost nothing to do with kernel stuff, but a web server misconfiguration (Apache). Usually when a defacement takes place, it is because some web coder didn't get his job well done when double checking for flaws in his code...

Re: Linux Kernel Security is Lacking 2007-05-03
Anonymous
You gotta be outta your mind. Linux has more bugs and they are patched SLOWER?????????????
You gotta be outta your fucking mind. Windows patches flaws in like a month or 2, linux in days, big difference no???...

Linux Kernel Security is Lacking 2005-02-03
Anonymous (1 replies)
Sorry this guy misses a critical point.

Linux hidden stuff is no more hidden than microsoft.

Ie the developers channels find and fix stuff fast if there is a breach risk.

Note distro developers make up a large section core of the linux kernel as you would expect this is normal.

No centra...

Linux Kernel Security is Lacking 2005-02-04
Jason V. Miller (Author)
"Linux hidden stuff is no more hidden than Microsoft."

This has nothing to do with my article. Also, please don't respond with anything "no more X than Microsoft". This isn't an argument, and pointing at another operating system that may or may not be affected more seriously by any given issue a...

Linux Kernel Security is Lacking 2005-02-03
Todd Knarr (1 replies)
That's odd. OK, it's a given that a single point of contact for security is probably a good thing. That said, where's the problem locating contact information currently? In the root of the source tree is a file called, appropriately enough, MAINTAINERS. It lists the person responsible for each part ...

Linux Kernel Security is Lacking 2005-02-04
Jason V. Miller (Author) (1 replies)
"To report a security problem in a component, it seems like a simple enough task to look up the component in MAINTAINERS and send the report to the maintainer of that component."

As detailed in the referenced Bugtraq post (see the article), e-mail messages to individual contributors (Linus and An...

Linux Kernel Security is Lacking 2005-02-05
Todd Knarr (1 replies)
I hate to say it, but reporting this should be easy. First step is obviously to report it to the maker of your distribution, since they may have (almost certainly have) applied patches not in the general kernel. They'll report it further up the chain if appropriate. If you're using a vanilla kernel,...

Linux Kernel Security is Lacking 2005-02-09
Joe Borsits (1 replies)
I think the point he is really trying to make is that having a dedicated team as a single point of contact may actually streamline the process, and in effect speed up response time... All in all I think this is a very good idea. The current process works but I see this as a suggestion of how thi...

Linux Kernel Security is Lacking 2005-02-09
Todd Knarr (1 replies)
A dedicated team might speed up responses, but it may also slow them down. For a lot of security problems you need not just someone who knows security but someone who knows the portion of the kernel involved. And here's another kicker: what happens when you report a security problem to the kernel te...

Linux Kernel Security is Lacking 2005-02-10
Joe Borsits
I see what you mean about the possibility that it could slow things down.....

Linux Kernel Security is Lacking 2005-02-03
Anonymous (1 replies)
Really good points...

However, i think there is a huge difference between having a contact point to report security issues, and having a fix for a security issue...

Many have been surprised, if not shocked by the recent disclosure in the linux kernel, but i'm not sure that the situation is SO ...

Linux Kernel Security is Lacking 2005-02-04
Jason V. Miller (Author) (1 replies)
"Just a last: saying that it's to "the developers to take responsibility for the security of the kernel" is quite unrealistic, as actually no end-user license grants any "responsibility" for security of delivered products. I don't say that it's right, but that's the real world."

I mean personal r...

Linux Kernel Security is Lacking 2005-02-05
RVGeerligs
I agree with you. There should be a central contact point. Now with all these different distro's, many different kernel patches are made....

Really? 2005-02-03
Anonymous
1. There is a contact list in the documentation directory for direct email. Use this IF you use the "bleeding edge" kernels. It is more likely a "bug", that has security associated with it.

2. If you get your kernel from a vendor, contact the vendor. RH has a contact list, as does - I believe - t...

I eagerly await... 2005-02-03
Anonymous (5 replies)
...the author's comments on Windows kernel security. If this is what he thinks about Linux kernel security, they should be truly devastating. However, I expect a resounding silence in reply.

Best,
Mal the Elder
...

I eagerly await... 2005-02-03
Anonymous
It's a bit obvious - the problem Linux has is no central contact. The central contact for Microsoft is secure@microsoft.com and everyone knows it. Whatever problems Microsoft has, that's not one of them....

I eagerly await... 2005-02-03
Anonymous (2 replies)
I'm curious... what is the last kernel-level vulnerability discovered and patched for the current XP kernel? There were plenty of updates in SP2, but I don't recall if any of the recent vulnerabilities were kernel level.

The trick with the closed source development model is that we don't know wh...

I eagerly await... 2005-02-04
Anonymous
"That was the thrust of the article. Comparing that to Windows, where a single vendor has end to end responsibility, is unfair at best."

Windows wasn't mentioned anywhere in the entire article.

Whatever the state of security in the Windows NT kernel, it matters little. The Linux kernel has som...

I eagerly await... 2005-02-07
Anonymous
Who cares? The article addresses Linux security, not Windows. To the extent that I'm a Linux user/admin & want the project to continue as successfully as so far, I agree with the basic premise that the security processes need some simple tidying up. How it compares to Windows is irrelevant...

I eagerly await... 2005-02-04
Anonymous
yawn... predictable......

I eagerly await... 2005-02-04
Anonymous (1 replies)
I am always amazed by linux zealots. When faced with some truth about some of their poor security practices they immediately attack MS instead of saying "oh yeah we better fix that". Until this idiotic mentality disappears from the linux community we will never be all that we can be. Wake UP, linux l...

I eagerly await... 2005-02-09
Anonymous
First, security and design flaws can be very different things. I don't think there is a statement that there are fundamental design flaws in Linux; there are security flaws in the coding of Linux. These need to be addressed in a manner which is centralized and accessible to the people who find the...

Re: I eagerly await... 2005-02-04
Anonymous (1 replies)
This is not a comparison. Better than windows is not an answer to security. The author has demonstrated 2 distinct problems in how linux kernel security is handled.

This is not a question of who has more buffer overflows, it's a proactive approach to secure development and adequate response....

Re: I eagerly await... 2005-02-04
Jason V. Miller
"This is not a question of who has more buffer overflows, it's a proactive approach to secure development and adequate response."

Precisely....

Computer Security is Oxymoron - FYI reading here: 2005-02-03
Anonymous (1 replies)
Something is being done. GRSecurity has issues with the way it is being done. But, you can read the following and guess that whatever is being done will only work if the kernel gets locked down and fixes are made on it for the next few years. Students in advanced computer programs could test and ...

Computer Security is Oxymoron No Longer 2005-02-07
Kernel hacker
Sorry, close but no cigar. Your sources are all excellent and still very good, but they are all based on a system that tries to limit what users can do. Would it not be better to use an approach that said no to everything, except what you granted permissions to. This is indeed a shameless plug for o...

So, what now about kernel security? 2005-02-03
Anonymous (2 replies)
A bunch of things need to be said here.

First of all, this article fails to note a couple things about Spengler's original advisory. It does not mention that Spengler's idea of "vendor notification" was to send an e-mail direct to Linus Torvalds, rather than to the LKML or the relevant maintainer...

So, what now about kernel security? 2005-02-04
Jason V. Miller (Author) (2 replies)
"It does not mention that Spengler's idea of "vendor notification" was to send an e-mail direct to Linus Torvalds, rather than to the LKML or the relevant maintainer of that section of the kernel (and as a different poster mentioned, it doesn't take much effort to track down who maintains a particul...

So, what now about kernel security? 2005-02-05
Anonymous
"Firstly, I don't think that the LKML is an appropriate forum to discuss security vulnerabilities."

Perhaps not to disclose, but a mail to the list, saying 'Who's responsible for section YYY in the kernel, the MAINTAINERS file isn't clear on this' to the kernel list would no doubt have resulted i...

So, what now about kernel security? 2005-02-10
Anonymous
Jason Miller,

Could you please report a security issue directly to Bill Gates, or Steve Ballmer, and see how long it takes for a response.


...

So, what now about kernel security? 2005-02-07
Anonymous
Stop being so defensive. It's obvious there's room for improvement in the process to be followed by a researcher who's found a hole. Convention says you mail 'security@...', if you're feeling helpful you might cast around on a web site or google for a contact, failing that give em 28 days to respond...

Linux Kernel Security is Lacking 2005-02-04
Neo
Hmmm ....there is enough contact info out there if you really/badly want to get in touch with the developers. There isn't a problem there and i don't quite understand the very purpose of this article, the author starts out pointing to a potential problem for which there is a fix already coming out (al...

Linux Kernel Security is Lacking 2005-02-04
TJ (1 replies)
Gee, what a surprise! Linux has security issues? Who would've thought? Why aren't these issues reported with such fanfare as a Windows issue? Do I sense Linux bias??...

Linux Kernel Security is Lacking 2005-02-05
Jiim
It's not as reported because of the vast difference in empirical aspects of the exploitations people observe.

MS have long relied on the claim that as they have the largest footprint of systems on the net then it follows they will suffer the most exploits (proportionality) and it is not a reflecti...

Linux Kernel Security is Lacking 2005-02-04
grg314
anyway. so many people live with illusion of ultimate linux security. some criticism is very welcome, i think.
there is no such thing as security at all....

flamer ! not having a hidden mailing list = we don't care about security 2005-02-04
Alban Browaeys (1 replies)
your point is based on one idea :
security = hidden mailing list

This has been discussed in the LKML quite extensively. You can argue on that, but by only telling your point of view while removing even the lead upstream developer's comments, you are only doing politics.

The point is that security r...

flamer ! not having a hidden mailing list = we don't care about security 2005-02-04
Jason V. Miller (Author)
"your point is based on one idea: security = hidden mailing list"

With regard to the first point, you're partially right. The Linux kernel needs a security *team*. That includes having a central point of contact to handle security issues.

"Your arguments are good. If only you took the time to ...

Linux Kernel Security is Lacking 2005-02-04
Keshav Jha
As mentioned by other users, indeed every Linux distro has a central point of contact, and each line of code has the developer's email. Linux is based on security by transparency and is doing well for all communities, whether school, business or non-profit organisations. Also if you have the skil...

Linux Kernel Security is Lacking -- false positive 2005-02-05
Anonymous
please look at kernel.org front page once again. there is well known way to report bugs. it is not hidden as long as you can scroll about one page down.
...

If you're growing tired of vacuous assessments... 2005-02-05
Bored Analyst
and would like more substance, just dig a little deeper.

http://taosecurity.blogspot.com/2005/02/closer-look-at-linux-kernel.html...

Linux Kernel Security is Lacking 2005-02-05
Reo
It is a good idea and should be taken more seriously. As an IT Audit and Security professional, in the past I found it difficult to have issues reported, reviewed and corrected in a timely manner. Today, security and audit issues are getting fixed rather fast. To ensure this trend continues, I be...

Linux Kernel Security is Lacking 2005-02-05
Anonymous
Might I also note that every single module in the kernel source tree has a section devoted to the last person to update that module.

Most if not all of those people are on LKML or can be reached through that facility.

If you have problems about using LKML to talk about a vun. you can ask that ...

OpenBSD slogan 2005-02-06
Anonymous
Shutup and code!...

This has already been addressed... 2005-02-07
Anonymous
The contact for security issues is your distro. This subject keeps coming up, I don't understand why people interested in Linux security don't know this already. Unless they are looking for publicity by "discovering" some breakdown in communication and breaking the "news" to everyone. Get a life....

Linux Kernel Security is Lacking 2005-02-08
Anonymous (1 replies)
"As for Linux, however, one could search through several web sites such as linux.org and kernel.org, sites associated with the Linux kernel, and find nothing whatsoever related to a security contact. Even our good friend Google will lead us nowhere fast. We might find a semi-relevant suggestion that...

Linux Kernel Security is Lacking 2005-02-09
Anonymous
"Linus Torvald Email"

????

Linus Torvalds is the correct name....

Linux Kernel Security is Lacking 2005-02-09
Anonymous
What did you use in your Google search? Searching on "linux kernel security contact" came up with "Linux: Reporting Kernel Security Issues" as the first entry and if you'd read the article, it talks about the mailing list at http://www.tux.org....

Discussed on linux-kernel 2005-02-09
Anonymous
http://www.kerneltraffic.org/kernel-traffic/latest.html#6
...

security@kernel.org 2005-02-09
Anonymous
"... Chris Wright created security@kernel.org, and posted a patch listing it in the MAINTAINERS file as the proper place to submit security bug reports. Alan and others supported this."...

Linux Kernel Security is Lacking 2005-02-09
Anonymous
Good points in this article, but isn't it just a bit overblown and hyped up?

Basically this "Security is Lacking" article comes down to one fact: unsatisfactory point of contact.

An important point yes, but as the author acknowledges, one that's already being addressed.

By all means highligh...

Linux Kernel Security is Lacking 2005-02-09
Anonymous
Would publishing a clear point of contact for kernel security issues, as the author suggests, do any harm? I don't see how it could.

Will the kernel benefit if this point of contact resolves even one security issue more quickly? Absolutely.

The fact that this suggestion is even the least bit c...

Linux Kernel Security is Lacking 2005-02-09
PiRX
As far as I know LKML is the right place to submit bug-reports about kernel. This just is the way Linux is developed - everyone knows about the bug and hackers (in canonical meaning, not criminals) can hack around with code and fix it.

REMEMBER - Linux ain't on "Security by obscurity" way!!!...

Contact the module developer? 2005-02-09
Anonymous
I've not looked at kernel code for a few years, but last time I wanted to notify someone of a problem in the code (OK, it was a way of detecting and working around a problem in some silly hardware) I was able to contact the maintainer of that bit of code as discovered from reading its header comment...

Linux Kernel Security is Lacking 2005-02-09
Anonymous
I'm simply amazed at the writer's inability to use google. Doing a google search on the keywords "reporting" "linux" "kernel" "bugs" provides the following URL:

http://www.kernel.org/pub/linux/docs/lkml/reporting-bugs.html

It seems pretty self-explanatory and anyone who's capable of finding a...

Linux Kernel Security is Lacking 2005-02-10
Khawar Nehal
BSD and others have more centralized management.

Linux grew faster because it was more decentralized.

I agree that Linux has less security.

Since the writer is from the BSD arena, he is amazed at the openness of Linux development.

At one place he says it should not be a select few then h...

Copyright 2009, SecurityFocus